Re: [Hipsec] Opsdir last call review of draft-ietf-hip-dex-06

Robert Moskowitz <> Fri, 02 March 2018 18:15 UTC

To: Qin Wu <>,
From: Robert Moskowitz <>
Date: Fri, 02 Mar 2018 13:15:35 -0500
Subject: Re: [Hipsec] Opsdir last call review of draft-ietf-hip-dex-06

On 02/23/2018 03:23 AM, Qin Wu wrote:
> Reviewer: Qin Wu
> Review result: Ready
> Summary:
> This document defines the Host Identity Protocol Diet EXchange (HIP DEX)
> protocol for constrained devices. The draft is well written. I believe
> it is ready for publication.
> Major issue: None
> Minor issue: Editorial
> 1. It is not clear how fine-grained policy control defined in IKEv2 is
> different from policy control defined in the HIP DEX protocol.

There is a long-standing difference in HIP to IKE policy.  I am 
"shooting from the hip" a bit here, as it has been years since having 
this sort of discussion.  For starters, HIP does not have policy bound 
to an interface IP address.  Then there is the nature of parameters in 
HIP DEX like the size of the cookie puzzle and how in some IoT cases, 
this can actually be used as an attack, so policy may be used to manage 
this.  Much is left to the implementer, it is true.

> In the draft, local policies are mentioned many times; however, it is not
> clear what a local policy for the HIP DEX protocol looks like.

To this I have to defer to Rene, who has implemented DEX...

> Is it possible to carry policy control parameters (e.g., an ACL
> parameter) in the HIP DEX protocol message?

HIP has avoided negotiating policies, and thus carrying them in 
messages.  I am working on some drafts that do provide for limited policy 
control parameters.

> Would it be great to provide an example to clarify this?
> 2. Is Nonce I the same as random value #I?
> 3. Is puzzle difficulty K the same as #K used in the HIP R1 described in
> Section 7?
> 4. Is puzzle difficulty K the same as the low-order #K bits of the RHASH?
> If the answer is yes, please make the terms and symbols used in the draft
> consistent.

Good catch on this.  I will check this over.
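A small model of the cookie puzzle and of the initiator-side policy cap Robert alludes to (a Responder can hand a constrained Initiator an arbitrarily large K, so local policy bounds the work the Initiator will accept). This is an added illustration, not code from the thread or the draft: SHA-256 stands in for the draft's RHASH, the byte layout of the hashed input and the 8-byte J are simplifying assumptions, and max_k is a hypothetical local-policy parameter.

```python
"""Toy model of the HIP puzzle (Ltrunc(RHASH(I | HIT-I | HIT-R | J), K) == 0)
with a local-policy ceiling on the difficulty K an Initiator will accept."""
import hashlib


def rhash(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the draft's RHASH.
    return hashlib.sha256(data).digest()


def low_k_bits_zero(digest: bytes, k: int) -> bool:
    """Ltrunc(digest, K) == 0: the low-order K bits of the digest are zero."""
    return int.from_bytes(digest, "big") & ((1 << k) - 1) == 0


def puzzle_policy_ok(k: int, max_k: int) -> bool:
    """Hypothetical local policy: refuse R1 puzzles whose expected cost
    (about 2**K hash operations) exceeds what this device will spend."""
    return 0 <= k <= max_k


def solve_puzzle(i: bytes, hit_i: bytes, hit_r: bytes, k: int, max_k: int):
    """Initiator side. Returns (J, number of hash attempts).

    The policy check runs before any work is spent, which is the point:
    an oversized K from an untrusted R1 must not exhaust a constrained node.
    """
    if not puzzle_policy_ok(k, max_k):
        raise ValueError(f"puzzle difficulty K={k} exceeds local policy max {max_k}")
    j = 0
    attempts = 0
    while True:
        attempts += 1
        digest = rhash(i + hit_i + hit_r + j.to_bytes(8, "big"))  # J: 8 bytes (assumed)
        if low_k_bits_zero(digest, k):
            return j.to_bytes(8, "big"), attempts
        j += 1


def verify_puzzle(i: bytes, hit_i: bytes, hit_r: bytes, j: bytes, k: int) -> bool:
    """Responder side: one hash to check the Initiator's solution."""
    return low_k_bits_zero(rhash(i + hit_i + hit_r + j), k)


# Constructed sample values (not real HITs or a real #I).
SAMPLE_I = b"\x01" * 16
SAMPLE_HIT_I = b"\x02" * 16
SAMPLE_HIT_R = b"\x03" * 16
```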